The Nsag infector story continues

Since we last reported on Nsag infectors, we’ve seen quite a lot of new malware related to Nsag.

There’s no real point in continuing to refer to this malware as Smitfraud, so we won’t.

Overall, the malware is the same old thing, but in slightly different clothing. Nsag.b infectors have taken the place of Nsag.a infectors. Although these new infectors aren’t really innovating, the Trojan-Downloaders that install these infectors are.

Most Trojan-Downloader.Win32.Zlob variants download numerous pieces of malware – most notably a Nsag.b infector and Trojan.Win32.Puper variants.

Zlob is interesting because of the technique it uses to download files.
It uses a new method to inject code into explorer.exe. This way it can download the malicious files without alerting the firewall.

It would seem that the creators are refining the way the Nsag infector gets introduced to the system rather then building new features into the infector itself.

This once again shows that the author(s) means business. This story is far from over.

The Nsag infector story continues

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox